
Security firms clash over phishy e-mails

Banks and security experts cannot agree whether it is safe for banks to use e-mail to communicate with their customers, because the medium has been hijacked by criminals who try to fool online banking users into divulging their log-in details. Last week, ZDNet Australia reported that an e-mail sent by Citibank confused both customers and security experts, because neither group could distinguish the genuine e-mail from a phishing attack.

Security experts criticised Citibank because its e-mail asked recipients to update their online bank log-in details due to an update of the company's security system. Experts claimed the bank had contradicted its own security guidelines and confused its customers.

In response to the story, antivirus firm Sophos on Thursday highlighted the increasing number of phishing attacks but claimed that even though there is "little room for error", banks could safely continue using e-mail for contacting customers -- as long as they take precautions.

Ron O'Brien, senior security analyst at Sophos, published an article that said: "58 percent of business PC users receive at least one phishing e-mail each day, while, alarmingly, 22 percent receive more than five a day, according to a recent Web poll conducted by Sophos."

"Those numbers, combined with today's more strategically targeted attacks, leave little room for error. If financial institutions have proper network security in place and are consistent in their messaging, customers will not have to guess whether they are dealing with a phishing attack," said O'Brien.

But this statement was slammed by Neil Campbell, the recently appointed CEO of e-mail security specialist Network Box. Last week, while still working for Dimension Data, he advised banks to stop sending e-mails to customers in order to "reduce the effectiveness of phishing".

On Wednesday, he told ZDNet Australia that Sophos' response was unrealistic.

"The approach that Sophos recommends breaks one of the basic tenets of security; keep it simple," Campbell said.

"When planning information security controls you need to take the computer-literacy of your users into account. You have to ask yourself if it is reasonable to ask the average Internet banking user to trust some e-mails that are apparently from their bank but not others that are also apparently from their bank."

"If security was purely a theoretical exercise then I'd agree with Sophos, but security is an exercise that is firmly grounded in reality and the reality in this case is that you will confuse your users and be unwittingly complicit in the proliferation and success of phishing scams. As Mr O'Brien himself points out, there is little room for error," said Campbell.

Richard Rundle, APAC manager at e-mail security firm GFi Software, agreed that a messaging system that is only accessible after the initial banking log-in process would make phishing less effective.

"I bank with the National Australia Bank (NAB) -- the only way to communicate with them is through their Internet banking, because they have a messaging interface," said Rundle, who explained that because of this policy, if he gets an e-mail seemingly from the NAB he knows it must be a phishing attack and can delete it.

Rundle said HSBC Hong Kong is an example of another bank that is, along with Citibank, confusing its customers.

"I also bank with HSBC in Hong Kong and you never, ever, know when you get an e-mail from them whether it is real or not," said Rundle.

However, an HSBC Hong Kong spokesperson denied its e-mails were confusing and claimed the bank suffers "very few" losses related to phishing. They said it is not difficult to spot a legitimate e-mail because they never ask for personal details or account information.

"In phishing attacks, people are asked to reveal account information and personal details of a nature that no bank ever would. Passwords and PINs are what [phishers] are after. No bank, certainly not this one, will ever ask you to reveal those," the spokesperson told ZDNet Australia in a telephone interview.

Tim Sheedy, senior analyst at Forrester Research, said on Wednesday that financial organisations should have set procedures to ensure that potentially confusing e-mails are never sent out. "Any organisation worth its weight -- such as a telco or a bank -- is going to have processes in place to stop that from happening," he said.